Journal of Electronics (China), Volume 25, Issue 4, pp 511–518

An intelligent method for real-time detection of DDoS attack based on fuzzy logic



The paper puts forward a variance-time plot method, based on a sliding-window mechanism, for calculating the Hurst parameter in order to detect Distributed Denial of Service (DDoS) attacks in real time. An intelligent DDoS judgment mechanism is designed using fuzzy logic, which can adjust itself dynamically under the fuzzy rules. The new method calculates the Hurst parameter quickly and detects DDoS attacks in real time. Comparison with detection technologies based on statistics and on feature packets, under different experiments, shows that the new method can identify the change in the Hurst parameter caused by DDoS attack traffic of different intensities, and can judge DDoS attacks intelligently and self-adaptively in real time.
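The sliding-window variance-time estimate named in the abstract, as an added illustration that is not the paper's code: it uses the standard relation Var(X^(m)) ∝ m^(2H−2) for the means of blocks of m samples. The window, step and block sizes, the constructed sample series and the fixed deviation threshold are all assumptions; the threshold only stands in for the paper's fuzzy judgment mechanism, whose rules are not given on this page.

```python
import math
import random

def aggregated_variance(series, m):
    """Variance of the means of non-overlapping blocks of m samples."""
    n = len(series) // m
    means = [sum(series[i * m:(i + 1) * m]) / m for i in range(n)]
    mu = sum(means) / n
    return sum((x - mu) ** 2 for x in means) / n

def hurst_variance_time(series, block_sizes=(1, 2, 4, 8, 16, 32)):
    """Least-squares slope of log Var(X^(m)) vs log m; slope = 2H - 2."""
    pts = []
    for m in block_sizes:
        if len(series) // m < 2:
            continue  # need at least two blocks to have a variance
        v = aggregated_variance(series, m)
        if v > 0:
            pts.append((math.log(m), math.log(v)))
    if len(pts) < 2:
        return None  # constant or too-short window: no estimate
    mx = sum(x for x, _ in pts) / len(pts)
    my = sum(y for _, y in pts) / len(pts)
    slope = (sum((x - mx) * (y - my) for x, y in pts)
             / sum((x - mx) ** 2 for x, _ in pts))
    return 1 + slope / 2

def sliding_hurst(counts, window=512, step=128):
    """(window start, H estimate) for each position of the sliding window."""
    return [(s, hurst_variance_time(counts[s:s + window]))
            for s in range(0, len(counts) - window + 1, step)]

def flag_shift(results, baseline, threshold=0.2):
    """Window starts whose H moved more than `threshold` from the baseline."""
    return [s for s, h in results
            if h is not None and abs(h - baseline) > threshold]

# Constructed sample: 1024 uncorrelated counts, then 1024 counts whose level
# holds for 64 samples at a time (strongly persistent), with small jitter.
_rng = random.Random(7)
_levels = [40, 160, 80, 130, 60, 150, 100, 120]
SAMPLE = [_rng.gauss(100, 10) for _ in range(1024)] + [
    _levels[(i // 64) % 8] + _rng.uniform(-2, 2) for i in range(1024)]

if __name__ == "__main__":
    results = sliding_hurst(SAMPLE)
    for start, h in results:
        print(f"{start:5d}  H={h:.2f}")
    print("flagged:", flag_shift(results, baseline=results[0][1]))
```

The uncorrelated segment yields H near 0.5 and the persistent segment H near 1, so the final windows are flagged against the first window's baseline.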

Key words

Abnormal traffic; Distributed Denial of Service (DDoS); Real-time detection; Intelligent control; Fuzzy logic

CLC index






Copyright information

© Science Press, Institute of Electronics, CAS and Springer-Verlag GmbH 2008

Authors and Affiliations

  1. College of Computer, Nanjing University of Posts and Telecommunications, Nanjing, China
  2. Research Institute of Computer Technology, Nanjing University of Posts and Telecommunications, Nanjing, China
